Bug 2066773 - The /tmp/v2v.XXXX directory has incorrect permissions if v2v is run by root
Summary: The /tmp/v2v.XXXX directory has incorrect permissions if v2v is run by root
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: virt-v2v
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Richard W.M. Jones
QA Contact: Xiaodai Wang
URL:
Whiteboard:
Duplicates: 2068136
Depends On:
Blocks: 2066775
Reported: 2022-03-22 13:12 UTC by Xiaodai Wang
Modified: 2022-11-15 10:23 UTC (History)

Fixed In Version: virt-v2v-2.0.7-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2066775 (view as bug list)
Environment:
Last Closed: 2022-11-15 09:56:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-116388 0 None None None 2022-03-22 13:20:25 UTC
Red Hat Product Errata RHSA-2022:7968 0 None None None 2022-11-15 09:56:20 UTC

Comment 1 Richard W.M. Jones 2022-03-22 13:24:02 UTC
This is another side effect of https://bugzilla.redhat.com/show_bug.cgi?id=1045069
When virt-v2v runs as root, libvirt runs qemu as a non-root user (e.g. qemu:qemu).
This means that qemu cannot open /tmp/v2v.<RAND>/in0, with this error:

  [   1.0] Opening the source
  virt-v2v: error: libguestfs error: could not create appliance through 
  libvirt.

  Try running qemu directly without libvirt using this environment variable:
  export LIBGUESTFS_BACKEND=direct

  Original error from libvirt: internal error: process exited while 
  connecting to monitor: 2022-03-22T13:19:56.454788Z qemu-kvm: -blockdev 
  {"driver":"nbd","server":{"type":"unix","path":"/tmp/v2v.AuSBWm/in0"},"node-name":"libvirt-2-storage","cache":{"direct":false,"no-flush":true},"auto-read-only":true,"discard":"unmap"}: 
  Failed to connect to '/tmp/v2v.AuSBWm/in0': Permission denied [code=1 
  int1=-1]

(With LIBGUESTFS_BACKEND=direct it does work because we don't use libvirt).

To avoid this we have to set the directory with that socket to 0711:

https://github.com/libguestfs/virt-v2v/blob/b365a87b99a7630afc974667dbe23135e35ba4d0/v2v/v2v.ml#L48

This avoids the above error, but introduces the current one instead.

Comment 2 Richard W.M. Jones 2022-03-22 14:37:14 UTC
Patch posted:
https://listman.redhat.com/archives/libguestfs/2022-March/028449.html

Comment 3 Laszlo Ersek 2022-03-23 10:44:07 UTC
Additional cleanup after Rich's v3:

[v2v PATCH] nbdkit, qemuNBD: run_unix: formally require externally provided socket
Message-Id: <20220323104330.9667-1-lersek>
https://listman.redhat.com/archives/libguestfs/2022-March/028464.html

Comment 4 Laszlo Ersek 2022-03-23 12:44:16 UTC
Upstream commits:

     1  4e7f20684373 lib: Improve security of in/out sockets when running virt-v2v as root
     2  9788b06765af nbdkit, qemuNBD: run_unix: formally require externally provided socket

Comment 7 Xiaodai Wang 2022-03-24 11:18:14 UTC
Verified with virt-v2v-2.0.1-1.el9.x86_64.

1. Run v2v as root and check the permissions of the /tmp/v2v.xxx directory.
# ll /tmp/v2v.LSsUhy
total 12
-rw-r--r--. 1 root root   0 Mar 24 06:37 copy
srwx------. 1 qemu root   0 Mar 24 06:35 in0
srwx------. 1 qemu root   0 Mar 24 06:37 out0
-rw-r--r--. 1 root root 471 Mar 24 06:37 out.params0.json
-rw-------. 1 root root 168 Mar 24 06:37 v2vprecheck.json
-rw-------. 1 root root 173 Mar 24 06:37 v2vtransfer.json

2. Access the file in that directory as a non-root user.
$ ll -d /tmp/v2v.LSsUhy
drwx------. 2 qemu root 113 Mar 24 06:37 /tmp/v2v.LSsUhy
$ ll /tmp/v2v.LSsUhy/in0
ls: cannot access '/tmp/v2v.LSsUhy/in0': Permission denied

3. Run automation scripts to verify the basic function and make sure there is no regression.

# avocado run --vt-type v2v convert_vm_to_ovirt.esx.vm.7_0.linux.latest8.arch_x86_64.raw_f.NFS.rhv_upload.rhv_direct.rhv_noverifypeer.preallocated.it_vddk convert_vm_to_ovirt.esx.vm.6_5.linux.latest8.arch_x86_64.raw_f.NFS.rhv_upload.rhv_direct.rhv_noverifypeer.preallocated.it_vddk
JOB ID     : af2d095bd50ec34f53b79fae4d08c2c4faa75bbf
JOB LOG    : /root/avocado/job-results/job-2022-03-24T06.35-af2d095/job.log
 (1/2) type_specific.io-github-autotest-libvirt.convert_vm_to_ovirt.esx.vm.7_0.linux.latest8.arch_x86_64.raw_f.NFS.rhv_upload.rhv_direct.rhv_noverifypeer.preallocated.it_vddk: STARTED
█ 100% [****************************************]
 (1/2) type_specific.io-github-autotest-libvirt.convert_vm_to_ovirt.esx.vm.7_0.linux.latest8.arch_x86_64.raw_f.NFS.rhv_upload.rhv_direct.rhv_noverifypeer.preallocated.it_vddk: PASS (306.28 s)
 (2/2) type_specific.io-github-autotest-libvirt.convert_vm_to_ovirt.esx.vm.6_5.linux.latest8.arch_x86_64.raw_f.NFS.rhv_upload.rhv_direct.rhv_noverifypeer.preallocated.it_vddk: STARTED
█ 100% [****************************************]
 (2/2) type_specific.io-github-autotest-libvirt.convert_vm_to_ovirt.esx.vm.6_5.linux.latest8.arch_x86_64.raw_f.NFS.rhv_upload.rhv_direct.rhv_noverifypeer.preallocated.it_vddk: PASS (2075.30 s)
RESULTS    : PASS 2 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME   : 2382.91 s

# avocado run --vt-type v2v convert_from_file.positive_test.linux.input_mode.ova.parse.SHA1_SHA256.output_mode.rhev.rhv_upload
JOB ID     : 082a05a6a536dbf4ab60ad5f1171dad2e6c82c9c
JOB LOG    : /root/avocado/job-results/job-2022-03-24T06.22-082a05a/job.log
 (1/1) type_specific.io-github-autotest-libvirt.convert_from_file.positive_test.linux.input_mode.ova.parse.SHA1_SHA256.output_mode.rhev.rhv_upload: STARTED
█ 100% [****************************************]
 (1/1) type_specific.io-github-autotest-libvirt.convert_from_file.positive_test.linux.input_mode.ova.parse.SHA1_SHA256.output_mode.rhev.rhv_upload: PASS (120.45 s)
RESULTS    : PASS 1 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME   : 122.41 s
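
Added example, not part of the bug report or of virt-v2v's code: a Python audit for the exposure discussed in comment 1, where a 0711 directory lets any local user reach entries by name, compared with the 0700 directory shown in the verification listing above. The function names and the sample directory built by `build_sample` are constructed for illustration; only the file names and modes are taken from the listing.

```python
import os
import stat
import tempfile

def audit_v2v_dir(path):
    """Return findings for entries other local users could reach in a v2v temp dir."""
    findings = []
    dmode = stat.S_IMODE(os.stat(path).st_mode)
    if dmode & 0o077:
        findings.append(f"{path}: directory mode {dmode:04o} grants group/other access")
    # Without search (x) permission for "other" on the directory, nothing inside
    # is reachable by unrelated users, whatever the entries' own modes are.
    if not dmode & stat.S_IXOTH:
        return findings
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        fmode = stat.S_IMODE(st.st_mode)
        # Connecting to a Unix socket needs write permission on the socket file.
        if stat.S_ISSOCK(st.st_mode) and fmode & stat.S_IWOTH:
            findings.append(f"{name}: socket connectable by any user ({fmode:04o})")
        elif stat.S_ISREG(st.st_mode) and fmode & stat.S_IROTH:
            findings.append(f"{name}: readable by any user who knows the name ({fmode:04o})")
    return findings

def build_sample(dir_mode):
    """Constructed stand-in for /tmp/v2v.XXXX (regular files only, no sockets)."""
    d = tempfile.mkdtemp(prefix="v2v.")
    for name, mode in (("out.params0.json", 0o644), ("v2vtransfer.json", 0o600)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("{}")
        os.chmod(p, mode)  # explicit chmod so the result does not depend on umask
    os.chmod(d, dir_mode)
    return d

if __name__ == "__main__":
    for mode in (0o711, 0o700):
        print(f"directory mode {mode:04o}:")
        for line in audit_v2v_dir(build_sample(mode)) or ["no findings"]:
            print("  " + line)
```
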

Comment 8 Richard W.M. Jones 2022-03-24 17:32:33 UTC
*** Bug 2068136 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2022-11-15 09:56:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: virt-v2v security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7968

